Yangseo Choi
Electronics and Telecommunications Research Institute
Publication
Featured research published by Yangseo Choi.
computer science and its applications | 2008
Yangseo Choi; Ikkyun Kim; Jintae Oh; Jae-cheol Ryou
In order to conceal malware, malware authors use packing and encryption techniques. If the malware is packed or encrypted, then it is very difficult to analyze. Therefore, to prevent the harmful effects of malware and to generate signatures for malware detection, the packed and encrypted executable codes must initially be unpacked. The first step of unpacking is to detect the packed executable files. In this paper, a packed file detection technique (PHAD) based on a PE header analysis is proposed. In many cases, to pack and unpack the executable codes, PE files have unusual attributes in their PE headers. In this paper, these characteristics are utilized to detect the packed files. A characteristic vector (CV) that consists of eight elements is defined, and the Euclidean distance (ED) of the CV is calculated. The EDs of the packed files are calculated and represent the base threshold for the detection of packed files.
international conference on information technology | 2010
Yangseo Choi; Jintae Oh; Jongsoo Jang; Jae-Cheol Ryou
Currently attackers are trying to paralyze servers and networks with various types of DDoS attacks. For example, on 7th July in 2009, a DDoS attack occurred against 48 web sites in South Korea and the U.S.A. In this attack, the attack traffic pattern and the botnet construction methods were different from those of previous versions. Due to the differences in the attack patterns, the 7.7 DDoS attack was not detected easily. These days, such new types of sophisticated attacks occur and it's not easy to detect those attacks effectively. In fact, it's been more than ten years since DDoS attacks were discovered in the late 1990s. However, DDoS attacks are still one of the biggest threats to Internet infrastructure and IT environments. This is because almost all DDoS defense techniques are not focused on general characteristics and infrastructure but on the specific characteristics of each attack. In order to develop a general purpose DDoS defense technology, the whole attack process and its general characteristics should be analyzed. Furthermore, each attack phase and its location in the network topology also have to be analyzed. For that, in this paper, we show a general DDoS attack process and each phase in this process. For each phase, we propose DDoS attack prevention requirements and finally suggest an integrated DDoS attack defense infrastructure. For the detailed explanation, we classify attack detection techniques into three categories.
workshop on information security applications | 2012
Yangseo Choi; Ikkyun Kim; Jintae Oh; Jongsoo Jang
Distributed denial-of-service (DDoS) attacks still pose unpredictable threats to the Internet infrastructure and Internet-based businesses. As attackers focus on economic gain, HTTP GET Flooding attacks against business web servers have become one of the most frequently attempted attacks. Furthermore, the attack is becoming more sophisticated. In order to detect those attacks, several algorithms have been developed. However, even though the developed technologies can detect the sophisticated attacks, some of them need lots of system resources [12,13]. Sometimes, due to the time-consuming processes, the whole performance of DDoS defense systems is degraded, and this becomes another problem. For that, we propose a simple threshold-based HTTP GET flooding attack detection algorithm. The threshold is generated from the characteristics of HTTP GET Request behaviors. In this algorithm, based on the defined monitoring period (MP) and Time Slot (TS), we calculate the Average Inter-GET_Request_Packet_Exist_TS-Gap (AIGG). The AIGG is used for threshold extraction. For effective detection, the optimized MP, TS and threshold value are extracted. In addition, the proposed algorithm doesn't need to analyze every HTTP GET request packet, so it needs less CPU resources than the algorithms which have to analyze all the request packets.
asia pacific network operations and management symposium | 2007
Ikkyun Kim; Koohong Kang; Yangseo Choi; Dae Won Kim; Jintae Oh; Kijun Han
Research on the detection of zero-day network attacks and signature generation is highlighted as an issue, as new network attacks break out faster than predicted. In this paper, we propose a very practical method that detects executable codes within the network packet payload. It could be used as the key function of signature generation against zero-day attacks or of high-speed anomaly detection. The proposed heuristic method in this paper could be expressed in terms of visually classifying the characteristic instruction patterns of executable codes. We then generalize this by applying a discrete parameter Markov chain. Our experimental study showed that the presented scheme could find all types of executable codes in our experiments.
symposium on applications and the internet | 2008
Dae Won Kim; Yangseo Choi; Ikkyun Kim; Jintae Oh; Jongsoo Jang
The general method by which attackers obtain control of a remote host is through exploit code. Motivated by the viewpoint that exploit code normally contains some executable code, we propose a method of detecting the executable codes included in packets for network security. Because some parts of executable codes essentially include function-call-related instruction patterns, we propose an approach that detects the instruction patterns following the function call mechanism. We have implemented a prototype and evaluated it against a variety of executable and non-executable codes. The results show that the proposed method properly classifies executable and non-executable codes.
IEICE Transactions on Information and Systems | 2008
Ikkyun Kim; Koohong Kang; Yangseo Choi; Dae Won Kim; Jintae Oh; Jongsoo Jang; Kijun Han
The ability to quickly recognize executable code inside network flows is a prerequisite for malware detection. For this purpose, we introduce an instruction transition probability matrix (ITPX) which is comprised of the IA-32 instruction sets and reveals the characteristic instruction transition patterns of executable codes. We then propose a simple algorithm to detect executable code inside network flows using a reference ITPX which is learned from known Windows Portable Executable files. We have tested the algorithm with thousands of executable and non-executable codes. The results show that it is promising enough to use in the real world.
international conference on computational science and its applications | 2003
Yangseo Choi; Dong-il Seo; Sung Won Sohn; Sang-Ho Lee
Recently the number of Internet users has increased very sharply, and the number of intrusions has also increased very much. Consequently, security products are being developed and adopted to prevent systems and networks from being hacked and intruded. Even if security products are adopted, however, hackers can still attack a system and get special authorization, because the security products cannot prevent a system and network from every instance of hacking and intrusion. Therefore, researchers have focused on active hacking prevention methods, and they have tried to develop a traceback system that can find the real location of an attacker. At present, however, because of the Internet's diversity, real-time traceback is very difficult. To overcome this problem, a traceback system is proposed in this paper that has the possibility of being adapted to the current Internet environment. The system is a Network-based Real-Time Connection Traceback System (NRCTS) that uses the packet marking technique.
Journal of Korean Institute of Intelligent Systems | 2002
Kwee-Bo Sim; Jae-Won Yang; Dong-Wook Lee; Dong-il Seo; Yangseo Choi
Recently, the attempts and successes of malicious cyber attacks have increased rapidly with the spread of the Internet, the activation of Internet shopping malls and the supply of online Internet services, so the problem is expected to grow more and more. Currently, the general security systems based on the Internet couldn't cope with the attacks properly, if at all; other regular systems have depended on common software to cope with the attacks. In this paper, we propose the positive selection mechanism and negative selection mechanism of T-cells, which is a biological distributed autonomous system, to develop the self/non-self recognition algorithm, the anomalous behavior detection algorithm, and an AIS (Artificial Immune System) that is easy to make concrete on an artificial system. The proposed algorithm can cope with new intrusions as well as existing ones in an intrusion detection system in the network environment.
international conference on advanced communication technology | 2017
Sunoh Choi; Yangseo Choi; Jooyoung Lee; Jong Hyun Kim; Ikkyun Kim
As cyber attacks have increased in recent years, network forensics, which collects and analyses network packets, has been studied alongside digital forensics. However, high-speed networks such as 1 or 10 Gbps networks have many network flows. For example, a 1 Gbps network has hundreds of millions of network flows per day. Analysing network traffic in this situation is very difficult and time-consuming. In this paper, we propose a system that can analyse abnormal network behaviour quickly and easily. We first propose a system that stores the TCP flags when generating network flows. Second, we present some ways to use the TCP flags in network flows to analyse network anomalies such as persistent outbound connections.
international conference on information and communication technology convergence | 2016
Sunoh Choi; Jooyoung Lee; Yangseo Choi; Jong Hyun Kim; Ikkyun Kim
Nowadays we face a lot of malware. When we access web sites, malware is secretly downloaded by drive-by-download, and when we receive emails, the attached files contain malware. The malware causes a lot of damage to the infected hosts and networks, so detecting malware is very important. However, recent malware is made not to be detected by an Intrusion Detection System (IDS). In order to prevent this problem, it is very crucial to generate new signatures quickly when new malware is discovered. This paper proposes a method to build a hierarchical signature cluster tree from the existing network signatures and suggests a scheme to make new signatures quickly by comparing new malware against the hierarchical signature cluster tree when it is discovered.